How to start a career in penetration testing
Cyber security is a smart way to go for students looking at their job prospects or people considering a change in career direction. Not only are roles in cyber security generally well-paid, but there are plenty to go around.
There is currently what’s being called a ‘digital skills crisis’ in the United Kingdom (“UK”). A government study into cyber talent found that the cybersecurity recruitment pool has a shortfall of 10,000 people each year. The same study found that this skills gap currently impacts 93% of technology companies in the UK. The demand for skilled cyber security professionals is high.
Cyber security, of course, is a broad term that encompasses many roles: security consulting, engineering and penetration testing are just some of the career choices within this field. A government study found that the UK’s cybersecurity recruitment pool has a shortfall of 10,000 people a year.
Below, we’ll take a further look at the skills, qualifications and attributes you need for a successful career in penetration testing. If you’d like to learn more about how penetration testing works, read our in-depth guide to pen-testing.
What is Penetration Testing?
Penetration testing is a method of assessing the security of a computer system, application or network by mimicking the actions of a real-world attacker to discover potential attack vectors and vulnerabilities.
Penetration testing uses various manual techniques combined with automated tools to analyse the target for potential vulnerabilities and then attempt to exploit them. Exploitable vulnerabilities typically include known security flaws in hardware or software, poor configuration, or operational weaknesses.
The most common forms of penetration testing are infrastructure testing, in which servers, firewalls and other systems are tested for weaknesses in an attempt to move through the target network; and web and mobile application testing, which identifies vulnerabilities in online software. Other types of penetration testing include wireless, API, virtual desktop breakout and secure build testing. Additionally, staff-focused testing such as phishing and social engineering can be undertaken to assess the success of security training within the company.
What does a penetration tester do?
In the role of a penetration tester, you will conduct authorised examinations of computing infrastructure to discover security weaknesses that malicious actors could otherwise exploit. As well as identifying these issues, you will also offer advice on how to remediate vulnerabilities and improve security maturity based on your findings.
You can choose to specialise in a particular type of penetration testing, such as:
- networks and infrastructure testing
- Windows, Linux and Mac operating systems
- Web/mobile application testing
- Operational Technology (OT) / Industrial control Systems (ICS)
- Internet of Things
Penetration testers sometimes work in-house for large technology companies, where ensuring infrastructure security is essential. More typically, though, penetration testers work for security consultancies, where they assist various clients with penetration testing.
Is penetration testing the right career for you?
Science, technology, engineering and maths undergraduate degrees lend themselves well to careers in computer security. However, graduates that take other subjects can also thrive in this profession. There are also master’s degrees available across the UK, specialising in information security. A postgraduate degree can be an excellent way to segue into a career in penetration testing.
Along with having relevant qualifications, penetration testers should aim to achieve one or more recognised certifications. These assure clients that you and your company conduct and document testing in line with the highest legal, ethical and technical standards. These include:
- CREST Registered Penetration Tester (CRT)
- Offensive Security Certified Professional (OSCP)
- GIAC Penetration Tester (GPEN) Certification
- Cyber Scheme Team Member / Cyber Scheme Team Leader (CSTM/CSTL)
Your employer may support you in gaining these qualifications, but some can also be achieved via self-study.
Character-wise, penetration testing is an excellent career choice for people who enjoy problem-solving, have an analytical mind and have a keen interest in technology infrastructure. To be a successful pen-tester, you will also need to cultivate soft skills such as communication and interpersonal relations, so you can liaise confidently with colleagues and clients.
If you are curious to learn more about penetration testing, then Cyber Security Challenge UK has created a number of free cyber security games and competitions that enable you to learn, improve and test your security skills. Other providers to consider include Hack The Box and TryHackMe.
How to get started in penetration testing
One of the best ways to begin your career in penetration testing is through an internship, work placement or apprenticeship. Many employers offer summer work experience placements and internships to undergraduates and those that have just graduated. These placements can be a great way to test out a role in security and see if it is a good fit for you.
Often, these placements can pave the road for a more permanent job in the organisation once the student has graduated. As well as this, employers typically advertise internships, placements and job roles widely – using a mixture of job board websites, recruitment agencies and even direct advertisements on their own website. At Evalian®, for example, we have our own dedicated careers page.
Resources to consider
If you would like to learn more about a career in cyber security and penetration testing specifically, there are a number of resources you can learn from:
- CREST Careers Guide: CREST provides internationally recognised accreditations for organisations and professional level certifications for individuals providing penetration testing. Its University Graduate Careers Guidance has a wealth of useful information for graduates looking to start a career in cyber security.
- The National Cyber Security Centre (“NCSC” ): The UK’s NCSC is a go-to resource for businesses and individuals about security threats. The body also offers NCSC-certified degree apprenticeships, Bachelor’s, Integrated Master’s and Master’s degrees.
- Cyber Security Challenge UK: This not-for-profit body has a number of resources aimed at helping candidates find roles in cyber security.
Outlook for penetration testers
Over the last twenty years, technology has become central to how we work, live and play. In line with this, the need for robust cyber security is more significant than ever before. Because of this, information security professionals are high in demand and will be for the foreseeable future.
As the digital skills shortage continues, people who choose careers in cyber security fields like penetration testing will have excellent career prospects – in a role that is not only financially rewarding but mentally challenging and enjoyable.
Need help?
If your organisation needs help running a penetration test on an application or infrastructure, we’re here to help. We can assess your environment and run a full penetration test. We can also advise you on any follow-up actions, remediations and vulnerability management from our findings. Contact us for a friendly chat.
